Gymnasium locker rooms may never be secure again, thanks to quick and easy hack.

There's a vulnerability in Master Lock branded padlocks that allows anyone to learn the combination in eight or fewer tries, a process that requires less than two minutes and a minimal amount of skill to carry out.

The exploit involves lifting up a locked shackle with one hand while turning the combination dial counterclockwise, starting at 0, with the other. Before the dial reaches 11, there will be three points where the dial resists being turned any further. One of them is ignored because it falls exactly between two whole numbers on the dial. The remaining two locations represent locked positions. Next, an attacker again lifts the locked shackle, this time with less force, while turning the dial clockwise. At some point before a full revolution is completed, the dial will resist being turned. (An attacker can still turn through it but will physically feel the resistance.) This location represents the resistance location. The two locked positions and the one resistance position are then entered on a Web page that streamlines the exploit.

The page responds with the first digit of the combination and two candidates for the last digit. By testing which of the two candidates has more "give," an attacker can quickly figure out which one is correct. Once the false candidate is eliminated from the Web form, the page automatically populates the eight possible values for the second digit of the combination.

Now that the attacker knows the first and last digits and knows the second digit is one of eight possible numbers, the hack is a simple matter of trying each possible combination until the correct one opens the lock. The following video provides a simple tutorial.

Kamkar told Ars his Master Lock exploit started with a well-known vulnerability that allows Master Lock combinations to be cracked in 100 or fewer tries. He then physically broke open a combination lock and noticed the resistance he observed was caused by two lock parts that touched in a way that revealed important clues about the combination. (He likened the Master Lock design to a side channel in cryptographic devices that can be exploited to obtain the secret key.) Kamkar then made a third observation that was instrumental to his Master Lock exploit: the first and third digit of the combination, when divided by four, always return the same remainder. By combining the insights from all three weaknesses he devised the attack laid out in the video.

It's by no means the only way to break the security of a popular padlock. It comes a few years after Master Lock engineers developed new padlocks that resisted a popular form of attack using shims made from soft drink cans. Kamkar said he has tried his exploit on more than a dozen Master Lock combination locks, and so far it has worked on all of them. In the coming weeks, he plans to unveil more details, including an Arduino-based robot that streamlines the exploit.

Bolt cutters are a lot more obvious than a guy bending over and putting in the combination. Even if the person looks at their phone and takes a little longer. It could easily look like they bought a new lock and haven't memorized the combo yet.

Yep, this. It's the difference between shattering a car window and using a hacked remote to unlock the doors. One is a half dozen 911 calls from passers-by; the other, people won't give a second thought.

There are several reductions at play that combine together here -- in the original 100 method, you must prep by producing 12 numbers, where in this attack you only produce 3, and the original attack provides the 3rd number reducing the 1st to 10 possibilities, while this attack *gives* you the 1st number *and* reduces the last to two digits instead of 10, while also reducing the middle digit even further (the original attack reduces middle to 10, while this reduces middle to 8).

-Yes, they can be picked if you are a LockSport expert and can mess with it for a while. I pick locks every day and I won't mess with one, not worth my time.

-There was a bypass but it's been long fixed.

-You can still cut them.

And before you're too hard on Master Lock (who also owns American Lock now), the dial combo lock costs like 5 bucks and was tailor-made for the school market. Security was not their first priority. That said, there are worse locks on the market, no-name brands, and brands like Brinks, Bulldog, etc.

You can't pass judgement on "Master Lock" based off this product. It's their cheapest, lowest-end lock. Even a Master No.1 is better, which is still quite easy to pick, being a 4 pin lock. If you move up the line to the Pro Series tho, you reach parity with American Lock; you start to see 5/6 pin locks with mushroom top pins and serrated top pins. Good luck picking that shit. Yeah, there are dozens of videos on YouTube of it being done, but it's not practical.

The Master 175D is also very easy to open, with a bypass. I don't recommend any combination lock for security. Keys are way better for security, not always for practicality tho.

I recently bought a set of lock picks and some locks to practice on, and what I learned that was more important than how to pick locks is that most locks suck in terms of security. In order to be cheaply mass produced they have to take some shortcuts (for a pin and tumbler lock, like most house doors in the US, it's generally in the manufacturing tolerances, though from what I've read, car locks often have much tighter tolerances that make them much more difficult to pick with a normal pick), so this isn't really a surprise to me.

Huh. I recall the older kids at my church cracking Master Locks with ease back in the early to mid 90s. It sure seemed like they were doing some variation of the technique described here. They promised that they'd teach me when I got older but then I stopped going to church...so.

If adding "...with a computer" or "...on the internet" to an existing invention shouldn't be enough to constitute a new patentable invention, then why is taking the same master lock cracking we were doing 30 years ago and adding "...with a website" news?

I came here to post "simple hack - as long as you have an internet connection" but you beat me to it.

You're missing part of it, what are l1 and l2? But otherwise, it's kind of interesting, because this looks simple enough to do by hand (and apparently already is done by hand, from some of the comments here).

Ok, I'll be that guy. Why are you posting the instructions to an exploit? Sure, it's easy to find, but why do you feel the need to make it even easier? I thought this wasn't that kind of site.

Because it's interesting. The cat's already out of the bag (and arguably was before this exploit was published, as black hats were as free to study the locks as white hats). Now we get to study the exploit and learn from it. Hopefully Master will learn from it and update its design.

A friend and I used to pop these locks using just a towel. We'd slip it through the lock and then tie the end in a knot. Then we'd just yank real hard or put our foot in it and use our body weight. Every single lock would just pop open. As a result I've never once purchased one. They are simply junk.

I've got a cheap "piggy bank" that was a promo giveaway from a local bank. The only thing interesting about it was that it's an actual mini wooden barrel. The lock, though, is so cheap I never bothered to remember the combo because you can crack it just by feeling the cheap tumblers fall into place as you turn the dial. But hey, it was free.

Now Master key locks, the ones with the squiggly keys cut on both sides, those are a joke. You can make a master key (pun intended) for any one of them by taking a key and cutting away all the tabs, leaving the tabs at the ends to turn the mechanism. The slots they cut are just to clear the internal baffles, so you're essentially cutting every possible slot in the key to clear any possible combination of baffles.

Yup most consumer locks are a total joke. Just as bad as computer security. A certain brand of bicycle lock can be opened by shoving a BIC pen (same diameter as the core key for the lock) into the keyhole. I'm serious.

Then there are padlocks that have the handcuffs-type key. Single tooth. Jam anything in there and they open.

The combination locks are the worst. Never use those. Anyone can learn how to open them.

If you must rely on a padlock or a bicycle lock, get one with a laser-cut key like the modern cars have.

I recently was given a server rack that someone had lost the keys to and was therefore considered trash. It literally took me 1 second to pick that lock using an old hairpin and a screwdriver. That rack is now sitting in my basement happily serving its intended purpose; it would have probably cost around $1000 to buy.

MacGyver would open it in three tries. Mr. T would break it off with his bare hands. Chuck Norris would stare at it and it would shatter.

Back in 1987 when I started middle school, we were told "only Dudley locks are allowed on lockers - those Master locks aren't worth the metal they're made of". School teachers in the 80s knew this. 30 years ago.

Let me guess - your next report is on the stunning advances of the new Ford Edsel? /s

They're just loaded from like-named UI fields so I didn't think including their definition would clarify anything. With a small amount of effort the code could be reworked to be far more understandable but I was lazy.

Fair enough, a note like this would have been helpful though for a full understanding of the algorithm, or even just adding them as arguments to the function.